Skip to content

Commit d45b9ed

Browse files
RoRoJRoRoJ
committed
feat(vpc): use case
1 parent f10e9d4 commit d45b9ed

File tree

2 files changed

+42
-86
lines changed

2 files changed

+42
-86
lines changed

network/vpc/reference-content/assets/scaleway-vpc-infra-1.webp

108 KB
Loading

network/vpc/reference-content/use-case-basic.mdx

Lines changed: 42 additions & 86 deletions
Original file line numberDiff line numberDiff line change
@@ -19,110 +19,66 @@ Knowing how to create, combine and configure resources such as Private Networks
1919

2020
This is the first in a series of use cases designed to show you potentially interesting and useful infrastructures, illustrating how to use VPC and other network products to achieve a robust, secure and scalable cloud environment.
2121

22-
## Private Networks and VPC definitions
22+
## Overview
2323

24-
VPC allows you to build your own **V**irtual **P**rivate **C**loud on top of Scaleway's shared public cloud. Within each VPC, you can create **Private Networks**. Resources attached to Private Networks can communicate securely between themselves, away from the public internet, reducing security risks by ensuring traffic is isolated from public routes.
24+
The architecture diagram below shows the infrastructure for this use-case.
2525

26-
The VPC operates at the network layer (layer 3) of the OSI model, while Private Networks are a layer 2 resource. As such, a VPC is responsible for routing packets between its different Private Networks. Private Networks provide network isolation within a VPC and enable you to segment your resources and traffic across different subnets.
26+
<Lightbox src="scaleway-vpc-infra-1.webp" size="large" alt="An architecture diagram shows how a Load Balancer inside a Scaleway VPC is attached to a Private Network. Also attached to the Private Network are three Instances (connected to Block Storage), a Managed Database and a Public Gateway. Users acces resources via a domain name which a Domains and DNS entry points to the Load Balancer's public flexible IP address. The Load Balancer distributes requests to the three Instances, which do not have public IP addresses. Instances can privately retrieve and store data in the Managed Database and Block Storage. The Public Gateway also has a flexible IP address, which allows admins to connect to resources in the Private Network via SSH bastion. The gateway's public flexible IP also allows connections to Scaleway resources outside the VPC, e.g. Object Storage, Transactional Email, Nats, Queues, Topics and Events, Serverless products and Secret Manager." />
2727

28-
VPCs and Private Networks are both **regional** resources. When you create a Private Network in a VPC, it is necessarily scoped to the same region as the VPC. Some Scaleway resources are also regional, others are zonal and scoped to a single Availability Zone (AZ). When attaching resources to a Private Network, you can attach resources from any AZ within the Private Network's region, allowing for example an Elastic Metal server in PAR-2 to communicate securely, away from the public internet, with an Instance in PAR-1 and a Managed Database in PAR-3.
28+
This is a basic infrastructure to leverage VPC isolation:
2929

30-
<Lightbox src="scaleway-vpc-schema.webp" alt="A graphic shows how resources in three different AZs are connected and isolated from the internet by a Private Network in the Paris region." />
30+
- The **Scaleway VPC** contains one **Private Network, to which a **Load Balancer** is attached
31+
- Users access an application via a domain name
32+
- The domain name's DNS record points to the public flexible IP of the Load Balancer.
33+
- The Load Balancer distributes traffic to multiple **Instances** also attached to the Private Network
34+
- The Instances do not have their own public (flexible) IP addresses, and are accessible only from inside the VPC.
35+
- The Instances can store data to and retrieve data from a **Managed Database** attached to the same Private Network, without going through the public Internet.
36+
- The **Public Gateway** attached to the Private Network has its own public flexible IP address, which administrators can use to access Instances and other resources in the VPC.
37+
- The Instances can access services outside the VPC (e.g. hosted on other Scaleway resources) via the Public Gateway.
3138

32-
| Region | Availability Zones |
33-
|-------------------------|---------------------------|
34-
| France - Paris | PAR1, PAR2, PAR3 |
35-
| Netherlands - Amsterdam | AMS1, AMS2, AMS3 |
36-
| Poland - Warsaw | WAW1, WAW2, WAW3 |
39+
## Advantages
3740

38-
One default VPC for each region is automatically created in each Scaleway [Project](/identity-and-access-management/organizations-and-projects/concepts/#project). The [**VPC routing**](/network/vpc/concepts/#routing) feature allows for managed and custom routes between the Private Networks of a VPC, so resources on different Private Networks can communicate.
3941

40-
<Lightbox src="scaleway-routing-diag.webp" alt="A diagram shows two Private Networks inside a VPC. A route table on a virtual router sits inside the VPC, and the route table is synchronized to each resource attached to the VPC's Private Networks. An Instance on Private Network A is able to send a packet to an Instance on Private Network B. An Elastic Metal server on Private Network A is able to send a packet to the public internet via the Public Gateway also on Private Network A." />
4142

42-
## Designing your network topology
43+
Advantages:
44+
VPC Isolation:
4345

44-
When you start creating resources and building your infrastructure with Scaleway, take some time to consider and plan your network topology. We recommend that you build your VPC infrastructure with **separation of concerns** in mind. Separation of concerns is a fundamental design principle aimed at breaking down large complex systems into smaller, distinct components each with clear responsibilities and interfaces. This kind of design will future-proof your VPC and come into its own when Scaleway introduces further features such as ACLs for VPC.
46+
By using a Virtual Private Cloud (VPC), resources are isolated within a private network, enhancing security. Only authorized services and users can access the resources inside the VPC, reducing exposure to potential threats.
47+
Load Balancer:
4548

46-
Separating resources into different Private Networks according to function and usage can:
47-
- **Improve network performance** by reducing broadcast traffic and congestion
48-
- **Enhance manageability** via a logical organization of resources
49-
- **Enable easier troubleshooting, monitoring and maintenance**
50-
- **Allow for easier scalability**
49+
The Load Balancer distributes traffic across multiple Instances (virtual machines), improving scalability and reliability. If one instance fails, the load balancer redirects traffic to healthy ones, ensuring high availability.
50+
Private Network for Sensitive Resources:
5151

52-
For example, you may use one Private Network for frontend resources and another for backend resources, limiting public access only via Load Balancers and/or Public Gateways, stripping other resources of public IP addresses. You may want to create different VPCs for production and test environments, allowing you to isolate potential errors in testing from the production environment.
52+
The infrastructure separates resources like the Managed Database behind the private network, ensuring sensitive data is not directly exposed to the internet.
53+
Public Gateway with Flexible IP:
5354

54-
When [creating a Private Network](/network/vpc/how-to/create-private-network/), you can let Scaleway automatically generate a CIDR block for it that is guaranteed to be unique in this VPC. All resources attached to the Private Network get a private IP address from this block. However, you also have the option to define your own CIDR block for the network. Ensure you choose a prefix and network size that is appropriate for your needs, does not overlap with that of any other Private Network in the VPC, and contains enough IP addresses for all resources that will be attached to the Private Network.
55+
The Public Gateway allows controlled access to and from the VPC, enabling secure communication with external services. The Flexible IP offers static IP addresses, which are beneficial for setting up secure, consistent connections (e.g., for whitelisting or DNS records).
56+
Block and Object Storage:
5557

56-
## Attaching resources to Private Networks
58+
Block Storage is useful for persistent data needs (e.g., file systems for applications), while Object Storage outside the VPC is optimal for handling large amounts of unstructured data (e.g., backups, images, logs).
59+
Scalable External Services:
5760

58-
When you attach a resource (e.g. an Instance, an Elastic Metal server) to a Private Network, you can either:
59-
- Let Scaleway automatically assign any IP address from the Private Network's CIDR block to use for the attachment, or
60-
- Define a specific, reserved IP address from the CIDR block to use for the attachment.
61+
The ability to connect to external services like Transactional Email, Serverless, and NATS, Queues, Topics, and Events gives flexibility for event-driven architectures, asynchronous processing, and scaling as needed without overloading core VPC resources.
62+
Security Features:
6163

62-
### Auto-assigning an IP address
64+
Resources like the Secret Manager help securely store sensitive credentials and keys, improving overall security management.
65+
Applications:
66+
E-commerce Platforms:
6367

64-
This solution is best for simplicity, dynamic environments, and short-lived resources. It can be especially useful in large-scale deployments where manual IP management could be cumbersome. When you let Scaleway automatically assign IP addresses, we ensure there are no IP conflicts within your VPC, reducing any risk of human error.
68+
This setup is perfect for an e-commerce platform, which needs a scalable backend (instances and block storage), secure payment systems (private database access), and public-facing components (load balancer and public gateway) for handling user traffic efficiently.
69+
Web Applications:
6570

66-
Note that when you select this option, the IP address randomly assigned to the resource will be stable, and does not risk changing until you detach the resource from the Private Network. At this point, the private IP address is released back into the pool of generally available addresses from the network's CIDR block, and may be auto-assigned to another resource requesting attachment.
71+
Web apps that handle high traffic can benefit from the load balancer and instances, ensuring uptime and availability. These applications can scale horizontally as demand increases, making it suitable for apps like SaaS products, social networks, or content platforms.
72+
Enterprise Applications:
6773

68-
### Using reserved IP addresses
74+
Enterprises handling sensitive data (HR systems, CRMs, etc.) can use the VPC’s isolation and private networking to secure internal services, while still allowing selective access via the public gateway.
75+
Microservices Architectures:
6976

70-
You can reserve private IP addresses from your Private Networks' CIDR blocks thanks to Scaleway's [**IP A**ddress **M**anagement solution](/network/ipam/), which helps you plan, track and manage the IP address space of your VPCs and their Private Networks. From the [IPAM space](https://console.scaleway.com/ipam/) in the Scaleway console, simply use the **Reserve private IP** feature to select the Private Network you want to reserve an IP address on, and choose to either reserve any available address, or a specific address not currently attached to any resource. The reserved address will then not risk being auto-assigned by Scaleway to other resources during network attachment, and can be kept until you are ready to use it to attach a specific resource.
71-
72-
Further, when you attach a resource to a Private Network and specify a reserved IP to use, the IP will remain reserved even after you detach the resource from the network. You can choose to either release the IP back into the pool, or keep it reserved until you use it to attach another resource.
73-
74-
Using reserved IP addresses is ideal to ensure that certain IP addresses are never released into the general pool and kept for certain critical resources with fixed IP requirements, even when that resource is detached from the Private Network, or when migrating between resources. Reserved IP addresses may also be useful where your Private Network is extending or integrating with external networks, or to assign addresses to virtual machines hosted on Elastic Metal servers via Proxmox.
75-
76-
## Removing public IPs from resources
77-
78-
We strongly recommend that you disable public connectivity on all of your Scaleway resources, unless it is absolutely required. It is preferable to attach resources to Private Networks wherever possible, and direct all traffic to the resource's private IP address on that network. This ensures optimal security, reduced cost and enhanced latency. Find out more in our documentation about [public connectivity best practices](/network/ipam/reference-content/public-connectivity-best-practices).
79-
80-
## Public connectivity over Private Networks
81-
82-
### Public Gateways
83-
84-
You can use Scaleway [Public Gateways](/network/public-gateways/) to provide resources on a Private Network with a secure point of access to and from the public internet.
85-
86-
- Set the Public Gateway to advertize a default route to the internet, allowing attached resources to send packets to the internet via the gateway, without needing their own public IP address.
87-
- Activate the [SSH bastion](/network/public-gateways/how-to/use-ssh-bastion/) so that you can establish SSH connections to resources on the Private Network via the gateway's bastion.
88-
- Use static NAT to map ingress traffic from the public internet towards resources on the Private Network, using private IP addresses and ports.
89-
90-
### Load Balancers
91-
92-
Another option is to attach a Scaleway [Load Balancer](/network/load-balancer/) to the Private Network. By giving the Load Balancer a public IP address, and configuring Instances on the Private Network as backend servers for the Load Balancer via their private IP addresses, the Load Balancer can securely and efficiently distribute traffic to the Instances. This solution is suitable when you have multiple Instances serving the same application, although you can also use multiple frontends/backends and [routes](/network/load-balancer/how-to/create-manage-routes/) to direct traffic to specific server pools.
93-
94-
You can also disable public connectivity on the Load Balancer itself. This may be relevant if the Load Balancer is configured to receive and distribute traffic from resources on a different Private Network within the same VPC, for example.
95-
96-
## Connecting a VPC to external infrastructure
97-
98-
Watch this space for Scaleway's upcoming solution to provide private, secure connectivity between resources in a Scaleway VPC and your external or on-premises architecture. In the meantime, you may consider installing a manual VPN on a Scaleway Instance to connect to other non-Scaleway infrastructure, and create a [custom route](/network/vpc/how-to/manage-routing/#how-to-create-a-custom-route) towards this VPN so traffic on your Private Network can securely communicate with resources at the other end of your VPN tunnel.
99-
100-
## Resource-specific information
101-
102-
Different types of Scaleway resources may have different requirements and possibilities in terms of Private Networks. See the comparative table below for more information, and to jump to the resource-specific documentation on Private Networks for each product.
103-
104-
* **Max attached PNs**: The maximum number of Private Networks that a resource can be attached to
105-
* **Mandatory PN**: Whether or not a Private Network must necessarily be attached to this resource
106-
* **Compatible with private IPv6**: Whether or not the resource is compatible with private IPv6 addressing. Compatible resources generally acquire both an IPv4 and an IPv6 address when attached to a Private Network.
107-
* **Compatible with reserved IPs**: Whether or not you can use a [reserved IP](/network/ipam/how-to/reserve-ip/#how-to-attach-a-resource-to-a-private-network-using-a-reserved-ip-address/) to attach the resource to a Private Network
108-
109-
| | Instance | Elastic Metal | Kubernetes | Managed Inference |
110-
|------------------------------|----------|---------------|------------|-------------------|
111-
| Max attached PNs | 8 | 8 | 1 | 1 |
112-
| Mandatory PN | No | No | Yes | No |
113-
| Compatible with private IPv6 | Yes | Yes | Yes | No |
114-
| Compatible with reserved IPs | Yes | Yes | No | No |
115-
| Additional information | -- | [Paid-for <br />feature](https://www.scaleway.com/en/pricing/elastic-metal/#network) | PN cannot be changed <br />after cluster creation | Must have at least one of <br/> private and/or public endpoint |
116-
| Documentation | [Go](/compute/instances/how-to/use-private-networks/) | [Go](/bare-metal/elastic-metal/how-to/use-private-networks/) | [Go](/containers/kubernetes/reference-content/secure-cluster-with-private-network/#why-have-a-private-network-for-your-kubernetes-kapsule-cluster) | [Go](/ai-data/managed-inference/how-to/managed-inference-with-private-network/) |
117-
118-
119-
| | Managed Database | Managed Database for Redis™ | Public Gateways | Load Balancer |
120-
|------------------------------|------------------|-----------------------------|-----------------|---------------|
121-
| Max attached PNs | 1 | 1 | 8 | 8 |
122-
| Mandatory PN | No | No | No | No |
123-
| Compatible with private IPv6 | No | No | No | No |
124-
| Compatible with reserved IPs | No | No | Yes | Yes |
125-
| Additional information | Must have at least one of <br/> private and/or public endpoint | Must have at least one of <br/> private and/or public endpoint | -- | Private LBs must have a PN |
126-
| Documentation | [Go](/managed-databases/postgresql-and-mysql/how-to/connect-database-private-network/) | [Go](/faq/databases-for-redis/#what-is-the-private-networks-feature-for-redistm-database-instances) | [Go](/network/public-gateways/how-to/configure-a-public-gateway/#how-to-attach-a-public-gateway-to-a-private-network) | [Go](/network/load-balancer/how-to/use-with-private-network/)
77+
This infrastructure supports microservices, where each service can be independently deployed on different instances or as serverless functions, using the load balancer to distribute requests and queues to manage communication between services.
78+
Data Analytics and Big Data Processing:
12779

80+
Applications requiring high-performance data processing (e.g., data analytics platforms, ETL pipelines) can use managed databases and block storage for internal data while storing large datasets in external object storage. Event-driven data workflows can be handled by the external NATS, Queues, Topics, and Events service.
81+
Mobile or Web Backends:
12882

83+
For mobile apps, this infrastructure can support a robust backend with an API gateway (public gateway), managing API calls securely and scaling as user demand grows.
84+
This setup provides a well-rounded, scalable, and secure foundation for a wide range of applications, particularly those requiring separation of public-facing and private resources.

0 commit comments

Comments
 (0)